From 6189f2b9832aee980fc8e89e62000f774e0b1064 Mon Sep 17 00:00:00 2001 From: Gandalf the Greybeard Date: Fri, 20 Mar 2026 00:33:09 +0000 Subject: [PATCH 1/7] refactor: redesign E2E to use custom Docker image instead of PVC/kubectl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace the PVC + kubectl-patch approach for E2E plugin deployment with a custom Docker image that has the plugin pre-installed. This eliminates all policy-violating operations: - No PVCs in kube-system - No kubectl exec/cp to Headlamp pods - No deployment patching via kubectl - No temporary pods or ConfigMap-based file transfers The new approach builds a Headlamp image with the plugin baked in (Dockerfile.e2e), deploys it as a dedicated instance in the headlamp-e2e namespace via Helm, and tears it down after tests complete. RBAC is scoped to the headlamp-e2e namespace instead of kube-system. Note: .github/workflows/e2e.yaml still needs updating to use the new scripts — that change is delegated to Hugh (CI/CD owner). Closes: privilegedescalation/headlamp-polaris-plugin#72 Co-Authored-By: Paperclip --- .gitignore | 1 + Dockerfile.e2e | 16 ++++ deployment/e2e-ci-runner-rbac.yaml | 52 ++++------- deployment/headlamp-e2e-values.yaml | 33 +++---- deployment/headlamp-plugins-pvc.yaml | 14 --- e2e/README.md | 57 ++++++----- scripts/deploy-e2e-headlamp.sh | 103 ++++++++++++++++++++ scripts/deploy-plugin-via-volume.sh | 135 --------------------------- scripts/teardown-e2e-headlamp.sh | 29 ++++++ 9 files changed, 219 insertions(+), 221 deletions(-) create mode 100644 Dockerfile.e2e delete mode 100644 deployment/headlamp-plugins-pvc.yaml create mode 100755 scripts/deploy-e2e-headlamp.sh delete mode 100755 scripts/deploy-plugin-via-volume.sh create mode 100755 scripts/teardown-e2e-headlamp.sh diff --git a/.gitignore b/.gitignore index b3320ba..a022014 100644 --- a/.gitignore +++ b/.gitignore @@ -6,5 +6,6 @@ e2e/.auth/ test-results/ .playwright-mcp/ .env +.env.e2e .env.local .eslintcache diff --git a/Dockerfile.e2e b/Dockerfile.e2e new file mode 100644 index 0000000..1553191 --- /dev/null +++ b/Dockerfile.e2e @@ -0,0 +1,16 @@ +# Dockerfile.e2e +# +# Builds a Headlamp image with the polaris plugin pre-installed. +# Used by E2E tests — not for production distribution (use ArtifactHub). +# +# Usage: +# npm run build +# docker build -f Dockerfile.e2e -t ghcr.io/privilegedescalation/headlamp-polaris-e2e:sha-abc123 . +# +# The plugin dist/ must be built before running docker build. + +ARG HEADLAMP_VERSION=latest +FROM ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION} + +COPY dist/ /headlamp/plugins/headlamp-polaris/ +COPY package.json /headlamp/plugins/headlamp-polaris/ diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 40e3bdf..5947294 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -1,57 +1,45 @@ --- -# RBAC for the GitHub Actions CI runner to perform E2E test setup. +# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance. # CI-only test fixture — NOT for production use. # -# Grants the ARC runner service account namespace-scoped permissions in -# kube-system to patch the Headlamp deployment (add shared volume mount), -# manage PVCs, run temporary pods, and restart deployments. +# Grants the ARC runner service account permissions in the headlamp-e2e +# namespace to deploy and tear down a dedicated Headlamp instance via Helm. # -# No cluster-scoped permissions needed — the E2E workflow uses kubectl patch -# instead of helm upgrade, avoiding the need to read ClusterRole/ClusterRoleBinding. +# No kube-system access needed — E2E tests use a separate namespace. +# No PVC management — plugin is baked into the Docker image. # -# Apply with: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml +# Prerequisites: +# kubectl create namespace headlamp-e2e +# kubectl apply -f deployment/e2e-ci-runner-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: e2e-ci-runner - namespace: kube-system + namespace: headlamp-e2e rules: + # Helm needs to manage these resources for the Headlamp chart + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "create", "update", "patch", "delete", "watch"] - apiGroups: [""] - resources: ["persistentvolumeclaims"] + resources: ["services", "serviceaccounts", "configmaps", "secrets"] verbs: ["get", "list", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["pods"] - verbs: ["get", "list", "create", "delete", "watch"] + verbs: ["get", "list", "watch"] + # Token creation for E2E test auth - apiGroups: [""] - resources: ["pods/attach"] - verbs: ["create", "get"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: ["apps"] - resources: ["deployments/scale"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "list"] + resources: ["serviceaccounts/token"] + verbs: ["create"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: e2e-ci-runner-binding - namespace: kube-system + namespace: headlamp-e2e subjects: - kind: ServiceAccount - name: local-ubuntu-latest-gha-rs-no-permission + name: runners-privilegedescalation-gha-rs-no-permission namespace: arc-runners roleRef: kind: Role diff --git a/deployment/headlamp-e2e-values.yaml b/deployment/headlamp-e2e-values.yaml index 36ab498..dbd9773 100644 --- a/deployment/headlamp-e2e-values.yaml +++ b/deployment/headlamp-e2e-values.yaml @@ -1,22 +1,23 @@ --- -# Headlamp Helm values for E2E testing with shared volume plugin deployment. +# Headlamp Helm values for E2E testing. # -# The CI runner and Headlamp pod share a PVC so that the runner can copy -# built plugin artifacts directly into Headlamp's plugins directory. -# This is a CI-only mechanism — production plugin distribution uses ArtifactHub. +# Uses a custom Docker image (built from Dockerfile.e2e) with the plugin +# pre-installed. No PVCs, no volume mounts, no deployment patching. +# +# The E2E workflow builds the image, pushes to ghcr.io, and deploys this +# Helm release in the headlamp-e2e namespace. +# +# Usage: +# helm install headlamp-e2e headlamp/headlamp \ +# -n headlamp-e2e --create-namespace \ +# -f deployment/headlamp-e2e-values.yaml \ +# --set image.registry=ghcr.io \ +# --set image.repository=privilegedescalation/headlamp-polaris-e2e \ +# --set image.tag= -# Point Headlamp at the shared plugins mount config: pluginsDir: /headlamp/plugins + watchPlugins: false -# PVC-backed volume shared with the CI runner -volumes: - - name: plugins - persistentVolumeClaim: - claimName: headlamp-plugins - -# Mount into the Headlamp container -volumeMounts: - - name: plugins - mountPath: /headlamp/plugins - readOnly: true +service: + type: ClusterIP diff --git a/deployment/headlamp-plugins-pvc.yaml b/deployment/headlamp-plugins-pvc.yaml deleted file mode 100644 index f103a21..0000000 --- a/deployment/headlamp-plugins-pvc.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# PVC for sharing built plugin artifacts between the CI runner and Headlamp. -# Used only in E2E test environments — not for production. -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: headlamp-plugins - namespace: kube-system -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi diff --git a/e2e/README.md b/e2e/README.md index 8ca4379..29d0015 100644 --- a/e2e/README.md +++ b/e2e/README.md @@ -4,7 +4,17 @@ Playwright-based smoke tests that validate the Polaris plugin against a live Hea ## CI -E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`) uses either Authentik OIDC or token-based authentication via repository secrets. +E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`): + +1. Builds the plugin +2. Builds a custom Headlamp Docker image with the plugin pre-installed (`Dockerfile.e2e`) +3. Pushes the image to `ghcr.io/privilegedescalation/headlamp-polaris-e2e:` +4. Deploys a dedicated Headlamp instance in the `headlamp-e2e` namespace via Helm +5. Generates a ServiceAccount token for test auth +6. Runs Playwright tests against the E2E instance +7. Tears down the E2E instance + +This approach avoids PVCs, kubectl exec/cp, and deployment patching. The plugin is part of the container image. ### Required GitHub Secrets @@ -12,12 +22,10 @@ Configure these in GitHub repository settings (Settings → Secrets and variable | Secret | Required | Description | | -------------------- | -------- | -------------------------------------------------------------- | -| `HEADLAMP_URL` | Optional | Headlamp instance URL (defaults to `https://headlamp.animaniacs.farh.net`) | | `AUTHENTIK_USERNAME` | OIDC | Authentik email or username for a CI user with Headlamp access | | `AUTHENTIK_PASSWORD` | OIDC | Password for that user | -| `HEADLAMP_TOKEN` | Token | Kubernetes service account token (alternative to OIDC) | -Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` **or** `HEADLAMP_TOKEN`. OIDC takes priority if both are set. +Token-based auth is auto-generated by the deploy script. OIDC secrets are only needed if testing against the shared Headlamp instance. ## Running Locally @@ -47,12 +55,12 @@ HEADLAMP_URL=http://localhost:4466 npm run e2e:headed | Variable | Required | Default | Description | | -------------------- | -------- | -------------------------------------- | --------------------------------------- | -| `HEADLAMP_URL` | No | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance | -| `AUTHENTIK_USERNAME` | OIDC | — | Authentik email/username | -| `AUTHENTIK_PASSWORD` | OIDC | — | Authentik password | -| `HEADLAMP_TOKEN` | Token | — | Kubernetes bearer token (fallback auth) | +| `HEADLAMP_URL` | No | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance | +| `AUTHENTIK_USERNAME` | OIDC | — | Authentik email/username | +| `AUTHENTIK_PASSWORD` | OIDC | — | Authentik password | +| `HEADLAMP_TOKEN` | Token | — | Kubernetes bearer token (auto-generated in CI) | -Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` or `HEADLAMP_TOKEN`. OIDC takes priority if both are set. +In CI, `HEADLAMP_URL` and `HEADLAMP_TOKEN` are set automatically by the deploy script. For local runs, set either OIDC credentials or a token manually. ## What the Tests Validate @@ -249,25 +257,26 @@ test('plugin UI adapts to dark mode', async ({ page }) => { Tests run automatically in GitHub Actions on pushes to `main` and pull requests. See `.github/workflows/e2e.yaml` for workflow configuration. -### Required Secrets +### Architecture -Configure these in GitHub repository settings (Settings → Secrets and variables → Actions): +The E2E workflow deploys a **dedicated Headlamp instance** for each test run: -- `HEADLAMP_URL` (optional): Headlamp instance URL -- `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` (for OIDC auth) -- OR `HEADLAMP_TOKEN` (for token-based auth) +1. Build plugin and Docker image (`Dockerfile.e2e`) +2. Push image to `ghcr.io/privilegedescalation/headlamp-polaris-e2e:` +3. Deploy via Helm in the `headlamp-e2e` namespace (`scripts/deploy-e2e-headlamp.sh`) +4. Run Playwright tests against the E2E instance +5. Tear down (`scripts/teardown-e2e-headlamp.sh`) -### Workflow Overview +No PVCs, no kubectl exec/cp, no patching of existing deployments. The plugin is baked into the Docker image. -1. Checkout code -2. Setup Node.js 20 with npm cache -3. Install dependencies (`npm ci`) -4. Install Playwright browsers (`chromium` only) -5. Run auth setup (creates session in `e2e/.auth/state.json`) -6. Run all E2E tests -7. Upload artifacts on failure: - - `playwright-report/` - HTML test report - - `test-results/` - Screenshots, traces, videos +### Cluster Prerequisites + +One-time setup by a cluster admin: + +```bash +kubectl create namespace headlamp-e2e +kubectl apply -f deployment/e2e-ci-runner-rbac.yaml +``` ### Manual Trigger diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh new file mode 100755 index 0000000..4b67f4c --- /dev/null +++ b/scripts/deploy-e2e-headlamp.sh @@ -0,0 +1,103 @@ +#!/usr/bin/env bash +# deploy-e2e-headlamp.sh +# +# Builds a custom Headlamp image with the polaris plugin pre-installed, +# pushes it to ghcr.io, and deploys a dedicated E2E Headlamp instance. +# +# This replaces the old PVC + kubectl-patch approach. The plugin is part +# of the container image — no PVCs, no kubectl exec/cp, no deployment +# patching required. +# +# Prerequisites: +# - Plugin built (dist/ exists) +# - Docker or buildx available +# - GHCR_TOKEN set (or GH_TOKEN with packages:write) +# - kubectl configured with cluster access +# - Helm 3 installed +# +# Environment: +# E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-e2e) +# E2E_RELEASE — Helm release name (default: headlamp-e2e) +# HEADLAMP_VERSION — base Headlamp image tag (default: latest) +# IMAGE_TAG — tag for the E2E image (default: git SHA) +set -euo pipefail + +REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" +DIST_DIR="$REPO_ROOT/dist" + +E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-e2e}" +E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" +HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}" +IMAGE_REPO="ghcr.io/privilegedescalation/headlamp-polaris-e2e" +IMAGE_TAG="${IMAGE_TAG:-$(git -C "$REPO_ROOT" rev-parse --short HEAD)}" +IMAGE="${IMAGE_REPO}:${IMAGE_TAG}" + +if [ ! -d "$DIST_DIR" ]; then + echo "ERROR: dist/ not found. Run 'npm run build' first." >&2 + exit 1 +fi + +echo "=== E2E Headlamp Deployment ===" +echo " Image: $IMAGE" +echo " Namespace: $E2E_NAMESPACE" +echo " Release: $E2E_RELEASE" + +# --- Build and push the custom image --- +echo "" +echo "Building E2E Headlamp image..." +docker build -f "$REPO_ROOT/Dockerfile.e2e" \ + --build-arg "HEADLAMP_VERSION=${HEADLAMP_VERSION}" \ + -t "$IMAGE" \ + "$REPO_ROOT" + +echo "Pushing image to ghcr.io..." +docker push "$IMAGE" + +# --- Deploy with Helm --- +echo "" +echo "Adding Headlamp Helm repo..." +helm repo add headlamp https://headlamp-k8s.github.io/headlamp/ --force-update +helm repo update + +echo "Creating namespace ${E2E_NAMESPACE} (if needed)..." +kubectl create namespace "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f - + +echo "Installing/upgrading Headlamp E2E instance..." +helm upgrade --install "$E2E_RELEASE" headlamp/headlamp \ + -n "$E2E_NAMESPACE" \ + -f "$REPO_ROOT/deployment/headlamp-e2e-values.yaml" \ + --set "image.registry=ghcr.io" \ + --set "image.repository=privilegedescalation/headlamp-polaris-e2e" \ + --set "image.tag=${IMAGE_TAG}" \ + --wait \ + --timeout 120s + +echo "Waiting for rollout..." +kubectl rollout status "deployment/${E2E_RELEASE}-headlamp" \ + -n "$E2E_NAMESPACE" --timeout=120s + +# --- Generate a service URL for tests --- +SVC_URL="http://${E2E_RELEASE}-headlamp.${E2E_NAMESPACE}.svc.cluster.local" +echo "" +echo "E2E Headlamp is ready at: ${SVC_URL}" +echo " export HEADLAMP_URL=${SVC_URL}" + +# --- Generate a token for test auth --- +echo "" +echo "Creating service account token for E2E auth..." +kubectl create serviceaccount headlamp-e2e-test \ + -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f - + +TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "") +if [ -n "$TOKEN" ]; then + echo " export HEADLAMP_TOKEN=" + echo "" + echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e" + echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e" + echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN" +else + echo " WARNING: Could not generate token. Set HEADLAMP_TOKEN manually or use OIDC." +fi + +echo "" +echo "E2E deployment complete." diff --git a/scripts/deploy-plugin-via-volume.sh b/scripts/deploy-plugin-via-volume.sh deleted file mode 100755 index 8cba0fb..0000000 --- a/scripts/deploy-plugin-via-volume.sh +++ /dev/null @@ -1,135 +0,0 @@ -#!/usr/bin/env bash -# deploy-plugin-via-volume.sh -# -# Copies the built plugin into the shared PVC so Headlamp picks it up. -# Uses a temporary Kubernetes Job to write to the PVC — the CI runner -# does NOT need the PVC mounted locally. -# -# Usage: -# scripts/deploy-plugin-via-volume.sh -# -# Environment: -# HEADLAMP_NAMESPACE — namespace where Headlamp runs (default: kube-system) -# HEADLAMP_DEPLOY — Headlamp deployment name (default: headlamp) -set -euo pipefail - -REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" -HEADLAMP_NAMESPACE="${HEADLAMP_NAMESPACE:-kube-system}" -HEADLAMP_DEPLOY="${HEADLAMP_DEPLOY:-headlamp}" - -# The deployed directory name must match the package.json name and -# the registerPluginSettings name. Headlamp identifies plugins by -# reading package.json from each subdirectory of the plugins dir. -PLUGIN_DIR_NAME="headlamp-polaris" -DIST_DIR="$REPO_ROOT/dist" - -if [ ! -d "$DIST_DIR" ]; then - echo "ERROR: dist/ not found. Run 'npm run build' first." >&2 - exit 1 -fi - -echo "Deploying plugin to shared volume via temporary job..." -echo " Source: $DIST_DIR" -echo " PVC: headlamp-plugins" -echo " Plugin: $PLUGIN_DIR_NAME" - -# Create tarball of plugin dist + package.json -TAR_FILE=$(mktemp /tmp/plugin-XXXXXX.tar.gz) -tar -czf "$TAR_FILE" -C "$DIST_DIR" . -C "$REPO_ROOT" package.json -echo " Tarball: $TAR_FILE ($(du -h "$TAR_FILE" | cut -f1))" - -# Find the node where Headlamp is running — the PVC is ReadWriteOnce so -# the deploy job must land on the same node to mount it. -HEADLAMP_NODE=$(kubectl get pods -n "$HEADLAMP_NAMESPACE" \ - -l "app.kubernetes.io/name=headlamp" \ - -o jsonpath='{.items[0].spec.nodeName}' 2>/dev/null || true) -if [ -z "$HEADLAMP_NODE" ]; then - HEADLAMP_NODE=$(kubectl get pods -n "$HEADLAMP_NAMESPACE" \ - -l "app.kubernetes.io/instance=headlamp" \ - -o jsonpath='{.items[0].spec.nodeName}' 2>/dev/null || true) -fi -if [ -n "$HEADLAMP_NODE" ]; then - echo " Headlamp node: $HEADLAMP_NODE (scheduling deploy job there)" -fi - -# Clean up any previous deploy resources -kubectl delete pod plugin-deploy -n "$HEADLAMP_NAMESPACE" --ignore-not-found --wait=true 2>/dev/null || true -kubectl delete configmap plugin-tarball -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true -sleep 2 - -# Store the tarball in a ConfigMap (binary-safe via --from-file) -echo "Creating ConfigMap with plugin tarball..." -kubectl create configmap plugin-tarball \ - -n "$HEADLAMP_NAMESPACE" \ - --from-file=plugin.tar.gz="$TAR_FILE" - -# Build the Pod manifest as a temp file to avoid heredoc YAML escaping issues -POD_FILE=$(mktemp /tmp/plugin-deploy-pod-XXXXXX.yaml) - -cat > "$POD_FILE" <<'YAMLDOC' -apiVersion: v1 -kind: Pod -metadata: - name: plugin-deploy -spec: - restartPolicy: Never - containers: - - name: deploy - image: busybox:1.36 - command: ["sh", "-c"] - args: - - | - echo "Cleaning up stale plugin directories..." - rm -rf /plugins/polaris /plugins/headlamp-polaris - echo "Extracting plugin to shared volume..." - mkdir -p /plugins/PLUGIN_DIR_PLACEHOLDER - tar -xzf /tarball/plugin.tar.gz -C /plugins/PLUGIN_DIR_PLACEHOLDER - echo "Files deployed:" - ls -la /plugins/PLUGIN_DIR_PLACEHOLDER/ - volumeMounts: - - name: plugins - mountPath: /plugins - - name: tarball - mountPath: /tarball - readOnly: true - volumes: - - name: plugins - persistentVolumeClaim: - claimName: headlamp-plugins - - name: tarball - configMap: - name: plugin-tarball -YAMLDOC - -# Substitute plugin dir name -sed -i "s/PLUGIN_DIR_PLACEHOLDER/${PLUGIN_DIR_NAME}/g" "$POD_FILE" - -# Add nodeName if we know which node Headlamp is on -if [ -n "$HEADLAMP_NODE" ]; then - sed -i "/restartPolicy: Never/i\\ nodeName: ${HEADLAMP_NODE}" "$POD_FILE" -fi - -echo "Starting deploy pod..." -kubectl apply -n "$HEADLAMP_NAMESPACE" -f "$POD_FILE" -rm -f "$POD_FILE" - -# Wait for the pod to complete (Succeeded phase) -echo "Waiting for deploy pod to complete..." -kubectl wait --for=jsonpath='{.status.phase}'=Succeeded pod/plugin-deploy \ - -n "$HEADLAMP_NAMESPACE" --timeout=120s - -# Show logs -kubectl logs plugin-deploy -n "$HEADLAMP_NAMESPACE" 2>/dev/null || true - -# Clean up -kubectl delete pod plugin-deploy -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true -kubectl delete configmap plugin-tarball -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true - -rm -f "$TAR_FILE" - -# Restart Headlamp to pick up the new plugin -echo "Restarting Headlamp deployment to load plugin..." -kubectl rollout restart "deployment/$HEADLAMP_DEPLOY" -n "$HEADLAMP_NAMESPACE" -kubectl rollout status "deployment/$HEADLAMP_DEPLOY" -n "$HEADLAMP_NAMESPACE" --timeout=120s - -echo "Plugin deployed successfully." diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh new file mode 100755 index 0000000..aa83d0c --- /dev/null +++ b/scripts/teardown-e2e-headlamp.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash +# teardown-e2e-headlamp.sh +# +# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh. +# +# Environment: +# E2E_NAMESPACE — namespace to clean up (default: headlamp-e2e) +# E2E_RELEASE — Helm release to uninstall (default: headlamp-e2e) +set -euo pipefail + +REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" + +E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-e2e}" +E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" + +echo "=== E2E Headlamp Teardown ===" +echo " Namespace: $E2E_NAMESPACE" +echo " Release: $E2E_RELEASE" + +echo "Uninstalling Helm release..." +helm uninstall "$E2E_RELEASE" -n "$E2E_NAMESPACE" 2>/dev/null || echo "Release not found (already removed?)" + +echo "Deleting namespace..." +kubectl delete namespace "$E2E_NAMESPACE" --ignore-not-found --wait=false + +# Clean up local env file +rm -f "$REPO_ROOT/.env.e2e" + +echo "Teardown complete." -- 2.52.0 From 8ac890a1c6b04c5efd665083e3a6618cafc3a659 Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Fri, 20 Mar 2026 01:01:11 +0000 Subject: [PATCH 2/7] ci: update E2E workflow for Docker image approach Replace PVC/kubectl-patch E2E workflow with the new Docker image approach: - Build custom Headlamp image with plugin pre-installed (Dockerfile.e2e) - Push to ghcr.io/privilegedescalation/headlamp-polaris-e2e - Deploy dedicated instance in headlamp-e2e namespace via Helm - Auto-generate auth token via deploy-e2e-headlamp.sh - Teardown after tests (always runs) No more PVCs, kubectl exec/cp, or kube-system deployment patching. --- .github/workflows/e2e.yaml | 123 ++++++++++--------------------------- 1 file changed, 32 insertions(+), 91 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index a9f1841..90df1a9 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -7,9 +7,14 @@ on: branches: [main] workflow_dispatch: +permissions: + contents: read + packages: write + env: - HEADLAMP_NAMESPACE: kube-system - HEADLAMP_DEPLOY: headlamp + E2E_NAMESPACE: headlamp-e2e + E2E_RELEASE: headlamp-e2e + IMAGE_REPO: ghcr.io/privilegedescalation/headlamp-polaris-e2e jobs: e2e: @@ -30,114 +35,50 @@ jobs: run: npm ci - name: Build plugin - run: npm run build + run: npx @kinvolk/headlamp-plugin build - - name: Setup kubectl - uses: azure/setup-kubectl@v4 - - - name: Ensure PVC exists - run: kubectl apply -f deployment/headlamp-plugins-pvc.yaml - - - name: Patch Headlamp deployment with shared volume mount + - name: Build E2E Headlamp image run: | - NS="$HEADLAMP_NAMESPACE" - DEPLOY="$HEADLAMP_DEPLOY" + IMAGE_TAG="sha-$(git rev-parse --short HEAD)" + echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV" + docker build -f Dockerfile.e2e \ + -t "${IMAGE_REPO}:${IMAGE_TAG}" . - # Check if the plugins volume and mount already exist (by name or mountPath) - DEPLOY_JSON=$(kubectl get deploy "$DEPLOY" -n "$NS" -o json) - HAS_VOL=$(echo "$DEPLOY_JSON" | \ - python3 -c "import sys,json; d=json.load(sys.stdin); vols=d['spec']['template']['spec'].get('volumes',[]); print('yes' if any(v.get('persistentVolumeClaim',{}).get('claimName')=='headlamp-plugins' or v.get('name')=='plugins' for v in vols) else '')") - HAS_MOUNT=$(echo "$DEPLOY_JSON" | \ - python3 -c "import sys,json; d=json.load(sys.stdin); mounts=d['spec']['template']['spec']['containers'][0].get('volumeMounts',[]); print('yes' if any(m.get('mountPath')=='/headlamp/plugins' or m.get('name')=='plugins' for m in mounts) else '')") + - name: Log in to ghcr.io + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - NEEDS_PATCH=false + - name: Push E2E image + run: docker push "${IMAGE_REPO}:${IMAGE_TAG}" - if [ -z "$HAS_VOL" ]; then - echo "Adding plugins PVC volume..." - kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[ - {"op":"add","path":"/spec/template/spec/volumes/-","value":{ - "name":"plugins", - "persistentVolumeClaim":{"claimName":"headlamp-plugins"} - }} - ]' - NEEDS_PATCH=true - else - echo "Plugins volume already present, skipping." - fi - - if [ -z "$HAS_MOUNT" ]; then - echo "Adding plugins volume mount..." - kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[ - {"op":"add","path":"/spec/template/spec/containers/0/volumeMounts/-","value":{ - "name":"plugins", - "mountPath":"/headlamp/plugins", - "readOnly":true - }} - ]' - NEEDS_PATCH=true - else - echo "Plugins volume mount already present, skipping." - fi - - # Set the plugins directory via env var - kubectl set env deploy/"$DEPLOY" -n "$NS" \ - HEADLAMP_CONFIG_PLUGIN_DIR=/headlamp/plugins - - # Wait for rollout - kubectl rollout status deploy/"$DEPLOY" -n "$NS" --timeout=120s - - - name: Deploy plugin via shared volume - run: scripts/deploy-plugin-via-volume.sh - - - name: Preflight — verify Headlamp and plugin availability - env: - HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }} + - name: Deploy E2E Headlamp instance run: | - PLUGIN_NAME=$(node -p "require('./package.json').name") - EXPECTED=$(node -p "require('./package.json').version") - echo "Expecting: $PLUGIN_NAME@$EXPECTED" + export IMAGE_TAG="${IMAGE_TAG}" + scripts/deploy-e2e-headlamp.sh - # Wait for Headlamp to be reachable - for i in $(seq 1 30); do - HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "$HEADLAMP_URL" || true) - if [ "$HTTP_CODE" != "000" ]; then - echo "Headlamp responded HTTP $HTTP_CODE" - break - fi - echo "Waiting for Headlamp... ($i/30)" - sleep 2 - done - - if [ "$HTTP_CODE" = "000" ]; then - echo "::error::Cannot reach Headlamp at $HEADLAMP_URL after 60s" + - name: Load E2E environment + run: | + if [ -f .env.e2e ]; then + cat .env.e2e >> "$GITHUB_ENV" + else + echo "::error::deploy-e2e-headlamp.sh did not produce .env.e2e" exit 1 fi - # Verify plugin is visible - PLUGIN_JSON=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins" 2>/dev/null || echo "[]") - node -e " - const plugins = JSON.parse(process.argv[1]); - console.log('Installed plugins:'); - for (const p of plugins) console.log(' ' + p.name + '@' + (p.version||'unknown')); - const ours = plugins.find(p => p.name === '$PLUGIN_NAME' || p.name === 'polaris' || p.name.includes('polaris')); - if (!ours) { - console.log('::warning::Plugin $PLUGIN_NAME not yet visible — Headlamp may need a restart'); - } else { - console.log('Found plugin: ' + ours.name + ' at path ' + ours.path); - } - " "$PLUGIN_JSON" - - name: Install Playwright browsers run: npx playwright install --with-deps chromium - name: Run E2E tests run: npm run e2e env: - HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }} - HEADLAMP_TOKEN: ${{ secrets.HEADLAMP_TOKEN }} + HEADLAMP_URL: ${{ env.HEADLAMP_URL }} + HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }} AUTHENTIK_USERNAME: ${{ secrets.AUTHENTIK_USERNAME }} AUTHENTIK_PASSWORD: ${{ secrets.AUTHENTIK_PASSWORD }} + - name: Teardown E2E instance + if: always() + run: scripts/teardown-e2e-headlamp.sh + - name: Upload Playwright report uses: actions/upload-artifact@v4 if: failure() -- 2.52.0 From 4344d3334995fa9e913394b4e6663ca82afde814 Mon Sep 17 00:00:00 2001 From: Gandalf the Greybeard Date: Fri, 20 Mar 2026 01:01:28 +0000 Subject: [PATCH 3/7] refactor: replace Dockerfile.e2e with ConfigMap volume mount for E2E plugin loading Delete custom Docker image approach per board directive. Plugin is now loaded into stock Headlamp via a ConfigMap volume mount: - Delete Dockerfile.e2e - deploy-e2e-headlamp.sh creates a ConfigMap from dist/ and mounts it into the stock ghcr.io/headlamp-k8s/headlamp image - Helm values use extraVolumes/extraVolumeMounts for the ConfigMap - No custom images, no PVCs, no kubectl exec/cp Co-Authored-By: Paperclip --- Dockerfile.e2e | 16 --------- deployment/e2e-ci-runner-rbac.yaml | 2 +- deployment/headlamp-e2e-values.yaml | 22 ++++++++---- e2e/README.md | 25 +++++++------- scripts/deploy-e2e-headlamp.sh | 52 +++++++++++++---------------- 5 files changed, 53 insertions(+), 64 deletions(-) delete mode 100644 Dockerfile.e2e diff --git a/Dockerfile.e2e b/Dockerfile.e2e deleted file mode 100644 index 1553191..0000000 --- a/Dockerfile.e2e +++ /dev/null @@ -1,16 +0,0 @@ -# Dockerfile.e2e -# -# Builds a Headlamp image with the polaris plugin pre-installed. -# Used by E2E tests — not for production distribution (use ArtifactHub). -# -# Usage: -# npm run build -# docker build -f Dockerfile.e2e -t ghcr.io/privilegedescalation/headlamp-polaris-e2e:sha-abc123 . -# -# The plugin dist/ must be built before running docker build. - -ARG HEADLAMP_VERSION=latest -FROM ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION} - -COPY dist/ /headlamp/plugins/headlamp-polaris/ -COPY package.json /headlamp/plugins/headlamp-polaris/ diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 5947294..9cac04e 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -6,7 +6,7 @@ # namespace to deploy and tear down a dedicated Headlamp instance via Helm. # # No kube-system access needed — E2E tests use a separate namespace. -# No PVC management — plugin is baked into the Docker image. +# Plugin is loaded via ConfigMap volume mount — no custom Docker images. # # Prerequisites: # kubectl create namespace headlamp-e2e diff --git a/deployment/headlamp-e2e-values.yaml b/deployment/headlamp-e2e-values.yaml index dbd9773..1c968a2 100644 --- a/deployment/headlamp-e2e-values.yaml +++ b/deployment/headlamp-e2e-values.yaml @@ -1,19 +1,17 @@ --- # Headlamp Helm values for E2E testing. # -# Uses a custom Docker image (built from Dockerfile.e2e) with the plugin -# pre-installed. No PVCs, no volume mounts, no deployment patching. -# -# The E2E workflow builds the image, pushes to ghcr.io, and deploys this -# Helm release in the headlamp-e2e namespace. +# Uses the stock Headlamp image with the plugin loaded via a ConfigMap +# volume mount. No custom Docker images — the plugin dist/ is packaged +# as a ConfigMap by deploy-e2e-headlamp.sh. # # Usage: # helm install headlamp-e2e headlamp/headlamp \ # -n headlamp-e2e --create-namespace \ # -f deployment/headlamp-e2e-values.yaml \ # --set image.registry=ghcr.io \ -# --set image.repository=privilegedescalation/headlamp-polaris-e2e \ -# --set image.tag= +# --set image.repository=headlamp-k8s/headlamp \ +# --set image.tag=latest config: pluginsDir: /headlamp/plugins @@ -21,3 +19,13 @@ config: service: type: ClusterIP + +extraVolumes: + - name: polaris-plugin + configMap: + name: headlamp-polaris-plugin + +extraVolumeMounts: + - name: polaris-plugin + mountPath: /headlamp/plugins/headlamp-polaris + readOnly: true diff --git a/e2e/README.md b/e2e/README.md index 29d0015..8b7e446 100644 --- a/e2e/README.md +++ b/e2e/README.md @@ -6,15 +6,14 @@ Playwright-based smoke tests that validate the Polaris plugin against a live Hea E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`): -1. Builds the plugin -2. Builds a custom Headlamp Docker image with the plugin pre-installed (`Dockerfile.e2e`) -3. Pushes the image to `ghcr.io/privilegedescalation/headlamp-polaris-e2e:` -4. Deploys a dedicated Headlamp instance in the `headlamp-e2e` namespace via Helm -5. Generates a ServiceAccount token for test auth -6. Runs Playwright tests against the E2E instance -7. Tears down the E2E instance +1. Builds the plugin (`npm run build`) +2. Creates a ConfigMap from the built `dist/` output +3. Deploys a stock Headlamp instance via Helm with the plugin mounted as a ConfigMap volume +4. Generates a ServiceAccount token for test auth +5. Runs Playwright tests against the E2E instance +6. Tears down the E2E instance -This approach avoids PVCs, kubectl exec/cp, and deployment patching. The plugin is part of the container image. +This approach uses the stock `ghcr.io/headlamp-k8s/headlamp` image with no custom Docker builds. The plugin is loaded via `HEADLAMP_PLUGINS_DIR` volume mount. ### Required GitHub Secrets @@ -27,6 +26,8 @@ Configure these in GitHub repository settings (Settings → Secrets and variable Token-based auth is auto-generated by the deploy script. OIDC secrets are only needed if testing against the shared Headlamp instance. +No `GHCR_TOKEN` or Docker registry secrets are needed — the stock Headlamp image is public. + ## Running Locally ### Option 1: OIDC via Authentik (same as CI) @@ -261,13 +262,13 @@ Tests run automatically in GitHub Actions on pushes to `main` and pull requests. The E2E workflow deploys a **dedicated Headlamp instance** for each test run: -1. Build plugin and Docker image (`Dockerfile.e2e`) -2. Push image to `ghcr.io/privilegedescalation/headlamp-polaris-e2e:` -3. Deploy via Helm in the `headlamp-e2e` namespace (`scripts/deploy-e2e-headlamp.sh`) +1. Build plugin (`npm run build`) +2. Create ConfigMap from `dist/` output (`scripts/deploy-e2e-headlamp.sh`) +3. Deploy stock Headlamp via Helm with ConfigMap volume mount 4. Run Playwright tests against the E2E instance 5. Tear down (`scripts/teardown-e2e-headlamp.sh`) -No PVCs, no kubectl exec/cp, no patching of existing deployments. The plugin is baked into the Docker image. +No custom Docker images, no PVCs, no kubectl exec/cp, no patching of existing deployments. The plugin is mounted from a ConfigMap into the stock Headlamp image. ### Cluster Prerequisites diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh index 4b67f4c..461cd60 100755 --- a/scripts/deploy-e2e-headlamp.sh +++ b/scripts/deploy-e2e-headlamp.sh @@ -1,25 +1,19 @@ #!/usr/bin/env bash # deploy-e2e-headlamp.sh # -# Builds a custom Headlamp image with the polaris plugin pre-installed, -# pushes it to ghcr.io, and deploys a dedicated E2E Headlamp instance. -# -# This replaces the old PVC + kubectl-patch approach. The plugin is part -# of the container image — no PVCs, no kubectl exec/cp, no deployment -# patching required. +# Deploys a stock Headlamp instance with the polaris plugin loaded via +# a ConfigMap volume mount. No custom Docker images — the plugin is built +# in CI and injected as a ConfigMap. # # Prerequisites: -# - Plugin built (dist/ exists) -# - Docker or buildx available -# - GHCR_TOKEN set (or GH_TOKEN with packages:write) +# - Plugin built (dist/ exists with plugin-main.js + package.json) # - kubectl configured with cluster access # - Helm 3 installed # # Environment: # E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-e2e) # E2E_RELEASE — Helm release name (default: headlamp-e2e) -# HEADLAMP_VERSION — base Headlamp image tag (default: latest) -# IMAGE_TAG — tag for the E2E image (default: git SHA) +# HEADLAMP_VERSION — Headlamp image tag (default: latest) set -euo pipefail REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" @@ -28,9 +22,6 @@ DIST_DIR="$REPO_ROOT/dist" E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-e2e}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}" -IMAGE_REPO="ghcr.io/privilegedescalation/headlamp-polaris-e2e" -IMAGE_TAG="${IMAGE_TAG:-$(git -C "$REPO_ROOT" rev-parse --short HEAD)}" -IMAGE="${IMAGE_REPO}:${IMAGE_TAG}" if [ ! -d "$DIST_DIR" ]; then echo "ERROR: dist/ not found. Run 'npm run build' first." >&2 @@ -38,20 +29,28 @@ if [ ! -d "$DIST_DIR" ]; then fi echo "=== E2E Headlamp Deployment ===" -echo " Image: $IMAGE" +echo " Image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}" echo " Namespace: $E2E_NAMESPACE" echo " Release: $E2E_RELEASE" -# --- Build and push the custom image --- +# --- Create namespace --- echo "" -echo "Building E2E Headlamp image..." -docker build -f "$REPO_ROOT/Dockerfile.e2e" \ - --build-arg "HEADLAMP_VERSION=${HEADLAMP_VERSION}" \ - -t "$IMAGE" \ - "$REPO_ROOT" +echo "Creating namespace ${E2E_NAMESPACE} (if needed)..." +kubectl create namespace "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f - -echo "Pushing image to ghcr.io..." -docker push "$IMAGE" +# --- Create ConfigMap from built plugin --- +echo "" +echo "Creating ConfigMap with plugin files..." + +# Delete existing ConfigMap if present (idempotent redeploy) +kubectl delete configmap headlamp-polaris-plugin \ + -n "$E2E_NAMESPACE" --ignore-not-found + +# Create ConfigMap from dist/ contents and package.json +kubectl create configmap headlamp-polaris-plugin \ + -n "$E2E_NAMESPACE" \ + --from-file="$DIST_DIR" \ + --from-file=package.json="$REPO_ROOT/package.json" # --- Deploy with Helm --- echo "" @@ -59,16 +58,13 @@ echo "Adding Headlamp Helm repo..." helm repo add headlamp https://headlamp-k8s.github.io/headlamp/ --force-update helm repo update -echo "Creating namespace ${E2E_NAMESPACE} (if needed)..." -kubectl create namespace "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f - - echo "Installing/upgrading Headlamp E2E instance..." helm upgrade --install "$E2E_RELEASE" headlamp/headlamp \ -n "$E2E_NAMESPACE" \ -f "$REPO_ROOT/deployment/headlamp-e2e-values.yaml" \ --set "image.registry=ghcr.io" \ - --set "image.repository=privilegedescalation/headlamp-polaris-e2e" \ - --set "image.tag=${IMAGE_TAG}" \ + --set "image.repository=headlamp-k8s/headlamp" \ + --set "image.tag=${HEADLAMP_VERSION}" \ --wait \ --timeout 120s -- 2.52.0 From 902f206e32d56b4c8fda92b1de2198cd94b106bb Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Fri, 20 Mar 2026 01:05:39 +0000 Subject: [PATCH 4/7] ci: update E2E workflow for ConfigMap approach Match deploy-e2e-headlamp.sh changes: - Remove Docker image build/push steps (no custom images) - Remove packages:write permission (no GHCR push needed) - Add kubectl and Helm setup steps - Deploy script creates ConfigMap from dist/ and uses stock Headlamp image --- .github/workflows/e2e.yaml | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 90df1a9..4811050 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -9,12 +9,10 @@ on: permissions: contents: read - packages: write env: E2E_NAMESPACE: headlamp-e2e E2E_RELEASE: headlamp-e2e - IMAGE_REPO: ghcr.io/privilegedescalation/headlamp-polaris-e2e jobs: e2e: @@ -31,29 +29,20 @@ jobs: node-version: '22' cache: 'npm' + - name: Setup kubectl + uses: azure/setup-kubectl@v4 + + - name: Setup Helm + uses: azure/setup-helm@v4 + - name: Install dependencies run: npm ci - name: Build plugin run: npx @kinvolk/headlamp-plugin build - - name: Build E2E Headlamp image - run: | - IMAGE_TAG="sha-$(git rev-parse --short HEAD)" - echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV" - docker build -f Dockerfile.e2e \ - -t "${IMAGE_REPO}:${IMAGE_TAG}" . - - - name: Log in to ghcr.io - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - - - name: Push E2E image - run: docker push "${IMAGE_REPO}:${IMAGE_TAG}" - - name: Deploy E2E Headlamp instance - run: | - export IMAGE_TAG="${IMAGE_TAG}" - scripts/deploy-e2e-headlamp.sh + run: scripts/deploy-e2e-headlamp.sh - name: Load E2E environment run: | -- 2.52.0 From 0a52a8effaefc0d647b3950d4fb9c6c0feb0289e Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Fri, 20 Mar 2026 01:13:02 +0000 Subject: [PATCH 5/7] fix: remove namespace create/delete from E2E scripts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CI runner SA only has namespace-scoped RBAC in headlamp-e2e — it cannot create or delete namespaces at the cluster level. Deploy now verifies the namespace exists (with a clear error if not), and teardown cleans up resources without deleting the namespace itself. Co-Authored-By: Paperclip --- scripts/deploy-e2e-headlamp.sh | 12 +++++++++--- scripts/teardown-e2e-headlamp.sh | 10 ++++++++-- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh index 461cd60..5599aa1 100755 --- a/scripts/deploy-e2e-headlamp.sh +++ b/scripts/deploy-e2e-headlamp.sh @@ -9,6 +9,7 @@ # - Plugin built (dist/ exists with plugin-main.js + package.json) # - kubectl configured with cluster access # - Helm 3 installed +# - E2E namespace pre-created by cluster admin (see deployment/e2e-ci-runner-rbac.yaml) # # Environment: # E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-e2e) @@ -33,10 +34,15 @@ echo " Image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}" echo " Namespace: $E2E_NAMESPACE" echo " Release: $E2E_RELEASE" -# --- Create namespace --- +# --- Verify namespace exists (must be pre-created by cluster admin) --- echo "" -echo "Creating namespace ${E2E_NAMESPACE} (if needed)..." -kubectl create namespace "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f - +echo "Verifying namespace ${E2E_NAMESPACE} exists..." +if ! kubectl get namespace "$E2E_NAMESPACE" >/dev/null 2>&1; then + echo "ERROR: Namespace ${E2E_NAMESPACE} does not exist." >&2 + echo "A cluster admin must create it first: kubectl create namespace ${E2E_NAMESPACE}" >&2 + echo "Then apply RBAC: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2 + exit 1 +fi # --- Create ConfigMap from built plugin --- echo "" diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh index aa83d0c..2c4ae19 100755 --- a/scripts/teardown-e2e-headlamp.sh +++ b/scripts/teardown-e2e-headlamp.sh @@ -20,8 +20,14 @@ echo " Release: $E2E_RELEASE" echo "Uninstalling Helm release..." helm uninstall "$E2E_RELEASE" -n "$E2E_NAMESPACE" 2>/dev/null || echo "Release not found (already removed?)" -echo "Deleting namespace..." -kubectl delete namespace "$E2E_NAMESPACE" --ignore-not-found --wait=false +echo "Cleaning up ConfigMap..." +kubectl delete configmap headlamp-polaris-plugin -n "$E2E_NAMESPACE" --ignore-not-found + +echo "Cleaning up service account..." +kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found + +# Note: namespace is NOT deleted — it is managed by a cluster admin. +# The runner SA only has namespace-scoped permissions (see deployment/e2e-ci-runner-rbac.yaml). # Clean up local env file rm -f "$REPO_ROOT/.env.e2e" -- 2.52.0 From 9249f151a87c40e6625862a3192124b6e84dde9d Mon Sep 17 00:00:00 2001 From: Gandalf the Greybeard Date: Fri, 20 Mar 2026 22:29:00 +0000 Subject: [PATCH 6/7] fix: add ClusterRole for runner SA to verify headlamp-e2e namespace kubectl get namespace is cluster-scoped and requires a ClusterRole. The runner SA only had a namespaced Role, causing E2E to fail with Forbidden even when the namespace existed. Adds a minimal ClusterRole restricted to get on headlamp-e2e only. Co-Authored-By: Paperclip --- deployment/e2e-ci-runner-rbac.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 9cac04e..511d6dd 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -45,3 +45,29 @@ roleRef: kind: Role name: e2e-ci-runner apiGroup: rbac.authorization.k8s.io +--- +# ClusterRole to allow the runner SA to verify the headlamp-e2e namespace +# exists before attempting namespaced operations. kubectl get namespace is a +# cluster-scoped operation not coverable by a namespaced Role. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: e2e-ci-namespace-reader +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get"] + resourceNames: ["headlamp-e2e"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: e2e-ci-namespace-reader-binding +subjects: + - kind: ServiceAccount + name: runners-privilegedescalation-gha-rs-no-permission + namespace: arc-runners +roleRef: + kind: ClusterRole + name: e2e-ci-namespace-reader + apiGroup: rbac.authorization.k8s.io -- 2.52.0 From 74a5bb0a0168f89c8eb76b0e252d775913c72d6b Mon Sep 17 00:00:00 2001 From: Gandalf the Greybeard Date: Fri, 20 Mar 2026 22:45:12 +0000 Subject: [PATCH 7/7] fix: teardown-e2e-headlamp.sh gracefully skips missing namespace When the headlamp-e2e namespace does not exist, teardown now exits early with a clear message instead of failing with a misleading RBAC error. Addresses PRI-443. Co-Authored-By: Paperclip --- scripts/teardown-e2e-headlamp.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh index 2c4ae19..d1a0025 100755 --- a/scripts/teardown-e2e-headlamp.sh +++ b/scripts/teardown-e2e-headlamp.sh @@ -13,6 +13,12 @@ REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-e2e}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" +# Exit early if the namespace does not exist — nothing to tear down. +if ! kubectl get namespace "$E2E_NAMESPACE" >/dev/null 2>&1; then + echo "Namespace $E2E_NAMESPACE does not exist, nothing to tear down." + exit 0 +fi + echo "=== E2E Headlamp Teardown ===" echo " Namespace: $E2E_NAMESPACE" echo " Release: $E2E_RELEASE" -- 2.52.0